API ReferenceMiddleware
Middleware Packages
First-party middleware for security, parsing, and observability.
NextRush provides first-party middleware packages for common HTTP concerns. Each package is independently installable and designed for production use.
Available Middleware
Loading diagram...
Quick Reference
| Package | Purpose | Common Use Case |
|---|---|---|
| @nextrush/cors | Cross-origin requests | Browser API access |
| @nextrush/helmet | Security headers | Production hardening |
| @nextrush/body-parser | Request body parsing | JSON/form APIs |
| @nextrush/rate-limit | Request throttling | API protection |
| @nextrush/compression | Response compression | Bandwidth reduction |
| @nextrush/cookies | Cookie handling | Session management |
| @nextrush/request-id | Request tracking | Logging/debugging |
| @nextrush/timer | Response timing | Performance monitoring |
Installation
Install only what you need — each package is independent.
$ pnpm add @nextrush/cors @nextrush/helmet
Add more as needed:
$ pnpm add @nextrush/body-parser @nextrush/rate-limit @nextrush/compression
Usage Pattern
All middleware follow the same usage pattern:
import { createApp } from '@nextrush/core';
import { cors } from '@nextrush/cors';
import { helmet } from '@nextrush/helmet';
import { json } from '@nextrush/body-parser';
const app = createApp();
// Security first
app.use(helmet());
app.use(cors({ origin: 'https://example.com' }));
// Then parsing
app.use(json());
// Then your routes
app.use(async (ctx) => {
ctx.json({ data: ctx.body });
});Middleware Order
Order matters
Security middleware must run before body parsing. Observability middleware should run first to capture the full request lifecycle.
Recommended sequence:
// 1. Observability (earliest)
app.use(requestId());
app.use(timer());
// 2. Security headers
app.use(helmet());
// 3. CORS (before body parsing)
app.use(cors());
// 4. Rate limiting
app.use(rateLimit());
// 5. Body parsing
app.use(json());
app.use(urlencoded());
// 6. Compression (before response)
app.use(compression());
// 7. Your application routes
app.route('/', router);Class-Based Middleware
All middleware work with both functional and class-based patterns:
import { Controller, Get, UseMiddleware } from '@nextrush/decorators';
import { cors } from '@nextrush/cors';
import { rateLimit } from '@nextrush/rate-limit';
// Apply to specific controller
@UseMiddleware(cors())
@UseMiddleware(rateLimit({ max: 100 }))
@Controller('/api')
class ApiController {
@Get('/data')
getData() {
return { data: [] };
}
}Creating Custom Middleware
Follow the middleware signature:
import type { Middleware } from '@nextrush/types';
// Factory function pattern (recommended)
function myMiddleware(options = {}): Middleware {
return async (ctx) => {
// Before handler
const start = Date.now();
await ctx.next();
// After handler
const duration = Date.now() - start;
ctx.set('X-Custom-Header', String(duration));
};
}
// Usage
app.use(myMiddleware({ option: 'value' }));Next Steps
Explore individual middleware documentation:
- CORS — Enable cross-origin requests
- Helmet — Set security headers
- Body Parser — Parse request bodies
- Rate Limit — Throttle requests